Hello all!
Trying to set up fwknop on an iptables firewall (fc13) with external (eth0)
and internal (eth1) interfaces. I did all the GnuPG steps the howto tells you to do
(http://www.cipherdyne.org/fwknop/docs/gpghowto.html). No problems with
that; both the firewall and the client now have functional public and private keys.
My test setup is like this:
client 192.168.171.1
--------------------
          |
          |
------------------------------
fw-public  eth0 192.168.171.100
fw-private eth1 10.11.12.1
------------------------------
          |
          |
-----------------
server 10.11.12.5
My access.conf has the following settings:
<clip>
SOURCE: ANY;
OPEN_PORTS: tcp/22;
GPG_REMOTE_ID: CLIENTID;
GPG_DECRYPT_ID: FIREWALLID;
GPG_DECRYPT_PW: password;
GPG_HOME_DIR: /root/.gnupg;
FW_ACCESS_TIMEOUT: 60;
ENABLE_FORWARD_ACCESS: Y;
<clip>
I also have these lines in fwknopd.conf:
<clip>
ENABLE_IPT_FORWARDING Y;
ENABLE_IPT_SNAT Y;
SNAT_TRANSLATE_IP 10.11.12.1;
<clip>
I am running fwknopd on the firewall with this command:
fwknopd -vvv -f -c /etc/fwknop/fwknopd.conf -a /etc/fwknop/access.conf
...and the client with this command:
fwknop -A tcp/22 --nat-access 10.11.12.5:22 -D 192.168.171.100 -a 192.168.171.1 \
    --gpg-recipient-key FIREWALLID --gpg-signer-key CLIENTID -vvv
...and surprise! I can connect from the client to the firewall using ssh, and the
connection is forwarded to the server. So everything is working like all the docs
and forum(s) say. BUT my biggest problem is that I do NOT
want to NAT from the firewall to the server; I would like a setup where
my client authenticates to the firewall and after that fwknopd creates an iptables
rule so my client can open an ssh connection to the REAL server 10.11.12.5, not
to the firewall itself!
Right now I have to run this ssh command on the client:
ssh [email protected]
But I would like a setup where I can run:
ssh [email protected]
Routing is not the problem... the problem is that I'm quite a newbie with fwknop
and don't have a clue how to make this happen...
The basic idea is that the client never opens an ssh (or whatever) connection to the
firewall's public address directly (after SPA), always to the original server OR
another public address which is NATted to the original server by the firewall.
Any help would be appreciated!
Cheers,
Matti
--
palaste-at-gmail-com
Fwknop-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fwknop-discuss